[ISV-1953] Fix operator index image signing with manifest list retrival (#300)

[ISV-1953] Fix operator index image signing with manifest list retrival

Previously the pipeline was signing manifest digests straight from
IIB builds, when it should be the manifest list digests that's
retrieved from the registry, using on the IIB digests. This change
fixes that.

Author: wcheang

ansible/roles/operator-pipeline/templates/openshift/pipelines/operator-release-pipeline.yml

@@ -423,68 +423,85 @@ spec:
         - name: kerberos_keytab_secret_key
           value: "$(params.kerberos_keytab_secret_key)"
 
+    # use manifest list digests from IIB output and get the manifest digests from registry
+    - name: get-manifest-digests
+      runAfter:
+        - publish-bundle
+      taskRef:
+        name: get-manifest-digests
+      params:
+        - name: pipeline_image
+          value: "$(params.pipeline_image)"
+        - name: manifest_list_digests
+          value: "$(tasks.publish-bundle.results.manifest_list_digests)"
+        - name: environment
+          value: "$(params.env)"
+      workspaces:
+        - name: registry-credentials
+          workspace: registry-credentials
+
     # send UMB message for RADAS to sign the container image
-    # - name: request-signature
-    #   runAfter:
-    #     - publish-bundle
-    #   taskRef:
-    #     name: request-signature
-    #   params:
-    #     - name: pipeline_image
-    #       value: "$(params.pipeline_image)"
-    #     - name: manifest_digest
-    #       value: "$(tasks.publish-bundle.results.manifest_digests)"
-    #     - name: reference
-    #       value: "$(tasks.publish-bundle.results.docker_references)"
-    #     - name: requester
-    #       value: "amisstea"
-    #     - name: sig_key_id
-    #       value: "$(tasks.set-env.results.sig_key_id)"
-    #     - name: sig_key_name
-    #       value: "$(tasks.set-env.results.sig_key_name)"
-    #     - name: umb_ssl_secret_name
-    #       value: "$(params.pyxis_ssl_secret_name)"
-    #     - name: umb_ssl_cert_secret_key
-    #       value: "$(params.pyxis_ssl_cert_secret_key)"
-    #     - name: umb_ssl_key_secret_key
-    #       value: "$(params.pyxis_ssl_key_secret_key)"
-    #     - name: umb_client_name
-    #       value: "$(tasks.set-env.results.umb_client_name)"
-    #     - name: umb_url
-    #       value: "$(tasks.set-env.results.umb_url)"
-    #   workspaces:
-    #     - name: source
-    #       workspace: repository
-    #       subPath: signing
+    - name: request-signature
+      runAfter:
+        - get-manifest-digests
+      taskRef:
+        name: request-signature
+      params:
+        - name: pipeline_image
+          value: "$(params.pipeline_image)"
+        - name: manifest_digest
+          value: "$(tasks.get-manifest-digests.results.manifest_digests)"
+        - name: reference
+          value: "$(tasks.get-manifest-digests.results.docker_references)"
+        - name: requester
+          value: "amisstea"
+        - name: sig_key_id
+          value: "$(tasks.set-env.results.sig_key_id)"
+        - name: sig_key_name
+          value: "$(tasks.set-env.results.sig_key_name)"
+        - name: umb_ssl_secret_name
+          value: "$(params.pyxis_ssl_secret_name)"
+        - name: umb_ssl_cert_secret_key
+          value: "$(params.pyxis_ssl_cert_secret_key)"
+        - name: umb_ssl_key_secret_key
+          value: "$(params.pyxis_ssl_key_secret_key)"
+        - name: umb_client_name
+          value: "$(tasks.set-env.results.umb_client_name)"
+        - name: umb_url
+          value: "$(tasks.set-env.results.umb_url)"
+      workspaces:
+        - name: source
+          workspace: repository
+          subPath: signing
 
-    # - name: upload-signature
-    #   runAfter:
-    #     - request-signature
-    #   taskRef:
-    #     name: upload-signature
-    #   params:
-    #     - name: pipeline_image
-    #       value: "$(params.pipeline_image)"
-    #     - name: signature_data_file
-    #       value: "$(tasks.request-signature.results.signature_data_file)"
-    #     - name: pyxis_ssl_secret_name
-    #       value: "$(params.pyxis_ssl_secret_name)"
-    #     - name: pyxis_ssl_cert_secret_key
-    #       value: "$(params.pyxis_ssl_cert_secret_key)"
-    #     - name: pyxis_ssl_key_secret_key
-    #       value: "$(params.pyxis_ssl_key_secret_key)"
-    #     - name: pyxis_url
-    #       value: "$(tasks.set-env.results.pyxis_url)"
-    #     - name: signing_pub_secret_name
-    #       value: "$(params.signing_pub_secret_name)"
-    #     - name: signing_pub_secret_key
-    #       value: "$(params.signing_pub_secret_key)"
-    #     - name: verify_signature
-    #       value: "true"
-    #   workspaces:
-    #     - name: source
-    #       workspace: repository
-    #       subPath: signing
+    - name: upload-signature
+      runAfter:
+        - request-signature
+      taskRef:
+        name: upload-signature
+      params:
+        - name: pipeline_image
+          value: "$(params.pipeline_image)"
+        - name: signature_data_file
+          value: "$(tasks.request-signature.results.signature_data_file)"
+        - name: pyxis_ssl_secret_name
+          value: "$(params.pyxis_ssl_secret_name)"
+        - name: pyxis_ssl_cert_secret_key
+          value: "$(params.pyxis_ssl_cert_secret_key)"
+        - name: pyxis_ssl_key_secret_key
+          value: "$(params.pyxis_ssl_key_secret_key)"
+        - name: pyxis_url
+          value: "$(tasks.set-env.results.pyxis_url)"
+        - name: signing_pub_secret_name
+          value: "$(params.signing_pub_secret_name)"
+        - name: signing_pub_secret_key
+          value: "$(params.signing_pub_secret_key)"
+        - name: verify_signature
+          value: "true"
+      workspaces:
+        - name: source
+          workspace: repository
+          subPath: signing
 
     # Publish Vendor, Repository
     - name: publish-resources

ansible/roles/operator-pipeline/templates/openshift/tasks/get-manifest-digests.yml

@@ -0,0 +1,82 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: get-manifest-digests
+spec:
+  params:
+    - name: manifest_list_digests
+      description: |
+        Comma-separated list of manifest list digests generated by the IIB builds, in the
+        format of registry.redhat.io/redhat/test-index@sha256:123
+    - name: environment
+      description: |
+        Which environment the pipeline is running in. Can be one of [dev, qa, stage, prod]
+    - name: pipeline_image
+  results:
+    - name: docker_references
+      description: Comma-separated list of indices
+    - name: manifest_digests
+      description: Comma-separated list of manifest digests retrieved from registry
+  workspaces:
+    - name: registry-credentials
+      description: Docker config for retrieving the bundle image
+  steps:
+    - name: podman-manifest-inspect
+      image: "$(params.pipeline_image)"
+      script: |
+        set -xe
+
+        ENV=$(params.environment)
+
+        # no-op for dev or qa since IIB doesn't run
+        # output dummy/test values for signing purposes
+        if [[ $ENV == "dev" || $ENV == "qa" ]]; then
+          echo -n "registry.redhat.io/redhat/test-operator-index:v4.9" | tee "$(results.docker_references.path)"
+          echo "$(params.manifest_list_digests)" | awk -F '@' '{print $2}' | tee "$(results.manifest_list_digests.path)"
+          echo "Getting manifest digests is a NOOP for dev and qa environments at this time."
+          exit 0
+        fi
+
+        DIGEST_LIST=$(echo $(params.manifest_list_digests) | tr "," " ")
+
+        if [[ $ENV != "prod" ]]; then
+          export HTTP_PROXY="http://squid.corp.redhat.com:3128"
+          export HTTPS_PROXY="http://squid.corp.redhat.com:3128"
+
+          # TODO find a better way to set registry based on env
+          # Replace registry urls with stage urls when in preprod
+          DIGEST_LIST=${DIGEST_LIST//registry.redhat.io/registry.stage.redhat.io}
+        fi
+
+        # podman manifest inspect doesn't support any of the authfile options, this is the only way
+        cp $(workspaces.registry-credentials.path)/.dockerconfigjson $HOME/.docker/config.json
+
+        DOCKER_REFERENCES=""
+        MANIFEST_DIGESTS=""
+        for i in $DIGEST_LIST
+        do
+            REFERENCE=$(echo $i | awk -F '@' '{print $1}')
+
+            # remove version from reference before combining with sha
+            DIGEST=$(echo $REFERENCE | awk -F ':' '{print $1}')
+            DIGEST+=@$(echo $i | awk -F '@' '{print $2}')
+
+
+            MANIFEST_LIST=$(podman manifest inspect $DIGEST)
+            MANIFEST_LIST=$(echo $MANIFEST_LIST | jq -r '.manifests[].digest')
+
+            # create comma separated index images that match each digest
+            for j in $MANIFEST_LIST
+            do
+              DOCKER_REFERENCES+=$REFERENCE,
+            done
+
+            # parse json output of manifest inspect into comma separated list of manifest digests for signing
+            MANIFEST_DIGESTS+=$(echo $MANIFEST_LIST | tr " " ",")
+            MANIFEST_DIGESTS+=","
+
+        done
+
+        echo -n $DOCKER_REFERENCES | tee "$(results.docker_references.path)"
+        echo -n $MANIFEST_DIGESTS | tee "$(results.manifest_digests.path)"

ansible/roles/operator-pipeline/templates/openshift/tasks/publish-bundle.yml

@@ -25,10 +25,8 @@ spec:
       description: |
         Which environment the pipeline is running in. Can be one of [dev, qa, stage, prod]
   results:
-    - name: docker_references
-      description: Comma-separated list of indices
-    - name: manifest_digests
-      description: Comma-separated list of manifest digests generated by the IIB builds
+    - name: manifest_list_digests
+      description: Comma-separated list of image name + manifest list digests generated by the IIB builds
     - name: status
       description: Indicates a status of publishing a bundle to an index
   volumes:
@@ -96,8 +94,7 @@ spec:
                 echo "Publishing bundle to an index is a NOOP for dev and qa environments at this time."
                 echo -n "success" | tee "$(results.status.path)"
                 # output dummy/test values for signing purposes
-                echo -n "registry.redhat.io/redhat/test-operator-index:v4.9" | tee "$(results.docker_references.path)"
-                echo "$(params.bundle_pullspec)" | awk -F '@' '{print $2}' | tee "$(results.manifest_digests.path)"
+                echo -n "$(params.bundle_pullspec)" | tee "$(results.manifest_list_digests.path)"
                 exit 0
             ;;
         esac
@@ -110,11 +107,8 @@ spec:
           --from-index $FROM_INDEX \
           --indices $INDICES \
           --bundle-pullspec "$(params.bundle_pullspec)" \
-          --output manifest-digests.txt
+          --output manifest-list-digests.txt
 
 
         echo -n "success" | tee "$(results.status.path)"
-        # comma-separate list for signing input
-        REFERENCES="$(echo $(params.bundle_versions) | tr -d '[ ]')"
-        echo $REFERENCES | tee "$(results.docker_references.path)"
-        cat manifest-digests.txt | tee "$(results.manifest_digests.path)"
+        cat manifest-list-digests.txt | tee "$(results.manifest_list_digests.path)"

operator-pipeline-images/Dockerfile

@@ -4,6 +4,8 @@ LABEL description="Cli tools for operator certification pipeline"
 LABEL summary="This image contains tools required for operator bundle certification pipeline."
 
 ARG USER_UID=1000
+ARG PODMAN_USER_UID=1001
+
 
 USER root
 
@@ -31,6 +33,7 @@ RUN dnf update -y && \
     origin-clients \
     pinentry \
     pip \
+    podman \
     python3-devel && \
     dnf clean all
 
@@ -43,6 +46,11 @@ RUN curl -LO https://github.com/operator-framework/operator-registry/releases/do
 
 RUN useradd -ms /bin/bash -u "${USER_UID}" user
 
+RUN useradd -u "${PODMAN_USER_UID}" podman; \
+    echo podman:10000:5000 > /etc/subuid; \
+    echo podman:10000:5000 > /etc/subgid;
+
+
 WORKDIR /home/user
 
 COPY ./operator-pipeline-images ./

operator-pipeline-images/operatorcert/entrypoints/index.py

@@ -99,7 +99,7 @@ def publish_bundle(
     from_index: str,
     bundle_pullspec: str,
     iib_url: str,
-    index_versions: List[str],
+    indices: List[str],
     output: str,
 ) -> None:
     """
@@ -109,7 +109,7 @@ def publish_bundle(
         iib_url: url of IIB instance
         bundle_pullspec: bundle pullspec
         from_index: target index pullspec
-        index_versions: list of index versions (tags)
+        indices: list of original indices
         output: file name to output resulting manifest digests to
     Raises:
         Exception: Exception is raised when IIB build fails
@@ -120,6 +120,7 @@ def publish_bundle(
 
     payload = {"build_requests": []}
 
+    index_versions = parse_indices(indices)
     for version in index_versions:
         payload["build_requests"].append(
             {
@@ -140,10 +141,11 @@ def publish_bundle(
     ):
         raise Exception("IIB build failed")
     else:
-        extract_manifest_digests(index_versions, output, response)
+        extract_manifest_digests(indices, index_versions, output, response)
 
 
 def extract_manifest_digests(
+    indices: List[str],
     index_versions: List[str],
     output: str,
     response: Dict[str, Any],
@@ -152,11 +154,13 @@ def extract_manifest_digests(
     LOGGER.info("Extracting manifest digests for signing...")
     manifest_digests = []
     # go through each version to ensure order is the same as the indices list
-    for version in index_versions:
+    for i in range(0, len(index_versions)):
+        index = indices[i]
+        version = index_versions[i]
         for build in response["items"]:
             if build["index_image"].endswith(version):
                 digest = build["index_image_resolved"].split("@")[-1]
-                manifest_digests.append(digest)
+                manifest_digests.append(f"{index}@{digest}")
     with open(output, "w") as f:
         f.write(",".join(manifest_digests))
     LOGGER.info(f"Manifest digests written to output file {output}.")
@@ -202,7 +206,7 @@ def main() -> None:  # pragma: no cover
         args.from_index,
         args.bundle_pullspec,
         args.iib_url,
-        parse_indices(args.indices),
+        args.indices,
         args.output,
     )
 

operator-pipeline-images/operatorcert/entrypoints/request_signature.py

@@ -203,8 +203,8 @@ def request_signature(args: Any) -> None:
     """
     Format and send out a UMB message to request signing, and retry as needed.
     """
-    manifests = args.manifest_digest.split(",")
-    references = args.reference.split(",")
+    manifests = args.manifest_digest.strip(",").split(",")
+    references = args.reference.strip(",").split(",")
 
     if len(manifests) != len(references):
         LOGGER.error(